/**
 * 
 */
package com.shy.base.shiro;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;

/**
 * <p>
 * Title:CustomRolesAuthorizationFilter
 * </p>
 * <p>
 * Description:AuthorizationFilter抽象类事项了javax.servlet.Filter接口，它是个过滤器。
 * 通过自定义的过濾器实现多個角色具有相同的权限訪問
 * </p>
 * <p>
 * Company:ipebg
 * </p>
 * 
 * @author H2013788
 * @date 2018/4/18
 */
public class CustomRolesAuthorizationFilter extends AuthorizationFilter {

    @Override
    protected boolean isAccessAllowed(ServletRequest req, ServletResponse resp, Object mappedValue)
            throws Exception {
        Subject subject = getSubject(req, resp);
        String[] rolesArray = (String[]) mappedValue;

        if (rolesArray == null || rolesArray.length == 0) { // 没有角色限制，有权限访问
            return true;
        }
        for (int i = 0; i < rolesArray.length; i++) {
            if (subject.hasRole(rolesArray[i])) { // 若当前用户是rolesArray中的任何一个，则有权限访问
                return true;
            }
        }
        return false;
    }

}
